Impact
The WordPress plugin CSV to SortTable, in versions up to and including 4.2, fails to validate certain shortcode attributes before using them to build file paths that are passed to PHP include functions. Any authenticated user with Contributor-level permissions or higher can supply crafted attribute values, for example directory-traversal sequences, and thereby include files the plugin never intended to load: a local file inclusion (LFI) vulnerability. Because PHP's include reads the target file and executes any PHP it contains, the attacker can disclose the contents of sensitive files such as configuration files or locally stored user data, and, where a file readable by the web server already contains attacker-controlled PHP, the flaw can escalate to code execution or privilege escalation within the WordPress environment.
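The pattern behind this class of bug, as an added illustration that is not the CSV to SortTable plugin's own code: a shortcode handler that drops an attribute straight into an include path, next to a hardened version that allowlists the value and checks the resolved path. The shortcode name `[demo_table]`, the `template` attribute and the `templates/` directory are assumptions made for the example and say nothing about the plugin's actual internals.

```php
<?php
/**
 * Added illustration (not the CSV to SortTable plugin's code). The shortcode name
 * [demo_table], the "template" attribute and the templates/ directory are assumed
 * for the example; they show the pattern the advisory describes, not the plugin's internals.
 */

// VULNERABLE: the attribute value reaches include() without validation.
function demo_table_shortcode_vulnerable( $atts ) {
	$atts = shortcode_atts( array( 'template' => 'default.php' ), $atts, 'demo_table' );

	// A Contributor can put [demo_table template="../../../../wp-config.php"] in a draft
	// and render it through post preview. include() follows the traversal, reads the
	// file and executes any PHP inside it; non-PHP files (logs, backups) are echoed as-is.
	ob_start();
	include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['template'];
	return ob_get_clean();
}

// HARDENED: allowlist the attribute, then verify the resolved path stays in the directory.
function demo_table_shortcode_hardened( $atts ) {
	$atts = shortcode_atts( array( 'template' => 'default' ), $atts, 'demo_table' );

	// 1. Only known template names are accepted; anything else falls back to the default.
	$allowed  = array( 'default', 'striped', 'compact' );
	$template = in_array( $atts['template'], $allowed, true ) ? $atts['template'] : 'default';

	// 2. Defence in depth: resolve the final path and confirm it is inside templates/.
	//    This still holds if the allowlist is later relaxed to a regex or a lookup table.
	$base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
	$path = realpath( $base . DIRECTORY_SEPARATOR . $template . '.php' );
	if ( false === $base || false === $path
		|| 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
		return '';
	}

	ob_start();
	include $path;
	return ob_get_clean();
}

add_shortcode( 'demo_table', 'demo_table_shortcode_hardened' );
```

The allowlist is the real fix; the `realpath` comparison only guards against the allowlist being weakened later. Note that `realpath` returns `false` for a non-existent file, so a typo in a template name fails closed rather than producing a PHP warning that leaks the plugin path. Restricting characters alone (for example stripping everything but `[a-z0-9_-]`) is weaker than naming the permitted files explicitly.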
Affected Systems
The issue affects installations of the CSV to SortTable plugin at version 4.2 or earlier. Any WordPress site with the plugin active and at least one account at Contributor level or above is exposed; Contributors can insert shortcodes into their own draft posts and trigger them through post preview, so no published content is required. The vendor is listed as Unknown, but the plugin is a common WordPress extension used by public and private sites.
Risk and Exploitability
The CVSS base score of 6.6 places the vulnerability in the Medium severity band. The EPSS score of less than 1% indicates that exploitation in the wild is currently unlikely, and the CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Exploitation requires authenticated access, so an attacker must first obtain a Contributor-level account, whether by compromising existing credentials, by registering on a site that grants that role to new users, or through social engineering. Once authenticated, the shortcode manipulation needs no further privileges, which makes the attack straightforward for anyone who already holds contributor access.
OpenCVE Enrichment